Category Archives: Cyberwar


Rule No 1 in international relations: do not assume that your adversary is nuts. Rule No 2: do not underestimate his capacity to inflict serious damage on you. We in the west are currently making both mistakes with regard to North Korea. Our reasons for doing so are, at one level, understandable. In economic terms, the country is a basket case. According to the CIA’s world factbook, its per-capita GDP is $1,800 or less, compared with nearly $40,000 for the UK and $53,000 for the US. Its industrial infrastructure is clapped out and nearly beyond repair; the country suffers from chronic food, energy and electricity shortages and many of its people are malnourished. International sanctions are squeezing it almost to asphyxiation. And, to cap it all, it’s led by a guy whose hairdo is almost as preposterous as Donald Trump’s.

And yet this impoverished basket case has apparently been able to develop nuclear weapons, plus the rocketry needed to deliver them to Los Angeles and its environs. Given the retaliatory capacity of the US, this is widely taken as proof that Kim Jong-un must be out of what might loosely be called his mind. Which is where rule No 1 comes in…

“Kim Jong-un is ruthless in his quest for power and survival, and hacking, even more than the nuclear power North Korea is rapidly developing, is the perfect weapon for a small, impoverished, isolated, totalitarian state.”

DEADLINE: How could this have happened, that terrorists achieved their aim of cancelling a major studio film? We watched it unfold, but how many people realized that Sony legitimately was under attack?

GEORGE CLOONEY: A good portion of the press abdicated its real duty. They played the fiddle while Rome burned. There was a real story going on. With just a little bit of work, you could have found out that it wasn’t just probably North Korea; it was North Korea. The Guardians of Peace is a phrase that Nixon used when he visited China. When asked why he was helping South Korea, he said it was because we are the Guardians of Peace. Here, we’re talking about an actual country deciding what content we’re going to have. This affects not just movies, this affects every part of business that we have. That’s the truth. What happens if a newsroom decides to go with a story, and a country or an individual or corporation decides they don’t like it? Forget the hacking part of it. You have someone threaten to blow up buildings, and all of a sudden everybody has to bow down. Sony didn’t pull the movie because they were scared; they pulled the movie because all the theaters said they were not going to run it. And they said they were not going to run it because they talked to their lawyers and those lawyers said if somebody dies in one of these, then you’re going to be responsible.

This is interesting because it suggests a promising new line for real and would-be ‘terrorists’: simply issue vague threats about nameless horrors to be visited upon public venues in the US and corporate lawyers will do the rest.

Most cyberattacks to date—by China, Russia, Iran, Syria, North Korea, Israel, the United States, and a dozen or so other nations, as well as scads of gangsters and simple mischief-makers—have been mounted in order to steal money, patents, credit card numbers, or national-security secrets. Whoever hacked Sony (probably a North Korean agency or contractor) did so to put pressure on free speech—in effect, to alter American popular culture and suppress constitutional rights.

Matt Devost, president and CEO of FusionX LLC, one of the leading computer-security firms dotting the Washington suburbs, told me in an email this morning, “This is the dawn of a new age. No longer do you have to worry just about the theft of money or intellectual property, but also about attacks that are designed to be as destructive as possible—and to influence your behavior.”

Bob Gourley, co-founder and partner of Cognito, another such firm, agrees. “I have tracked cyber threats since December 1998 and have never seen anything like this. It might have roots in the early Web-defacements for propaganda”—usually by anti-war or animal-rights groups—“but they were child’s play, done really for bragging rights. A new line has been crossed here.”

And the attack has had effects. Sony has canceled the film’s scheduled release due to terrorist threats against theaters (even though no evidence links the source of the threats to the source of the hacking). While a Seth Rogen comedy is an unlikely cause for a protest of principle, a case can be made that Sony’s submission to political pressure—especially pressure from a foreign source, especially if that source is Kim Jong-un—should be protested.

Well, it might be seen as an attack on American popular culture, I suppose.

Apparently some (off-the-record, natch) US sources think that Kim Jong-un and his chaps are responsible. In which case it’s an instance of cyberwarfare, not just an anti-corporate stunt.

And, as @dangillmor asks, “Are these the same US govt people who determined that Iraq had weapons of mass destruction?”

Back in 2000 when Napster was raging, I kept writing blog posts asking this basic question. Isn’t there some way the music industry can make billions of dollars off the new excitement in music?

Turns out there was. Ask all the streaming music services that have been born since the huge war that the music industry had with the Internet. Was it necessary? Would they have done better if they had embraced the inevitable change instead of trying to hold it back? The answer is always, yes, it seems.

Well, now it seems Sony is doing it again, on behalf of the movie industry. Going to war with the Internet. Only now in 2014, the Internet is no longer a novel plaything, it’s the underpinning of our civilization, and that includes the entertainment industry. But all they see is the evil side of the net. They don’t get the idea that all their customers are now on the net. Yeah there might be a few holdouts here and there, but not many.

What if instead of going to war, they tried to work with the good that’s on the Internet? It has shown over and over it responds. People basically want a way to feel good about themselves. To do good. To make the world better. To not feel powerless. It’s perverted perhaps to think that Hollywood which is so averse to change, could try to use this goodwill to make money, but I think they could, if they appealed to our imaginations instead of fear.

At dinner last night I had a long talk with one of my Masters students who is as baffled as I am about why people seem to be so complacent about online surveillance. This morning a colleague sent me a link to this TEDx talk by Mikko Hypponen, a well known Finnish security expert. It’s a terrific lecture, but one part of it stood out especially for me in the context of last night’s conversation. It concerned an experiment Hypponen and his colleagues ran in London, where they set up a free wi-fi hot-spot that anyone could use after they had clicked to accept the terms & conditions under which the service was offered. One of the terms was this:

In a sentence: it lumps three very different things — crime, espionage and warfare — under a single heading. And, as I tried to point out in yesterday’s Observer column, instead of making cyberspace more secure many of the activities classified as ‘cyber security’ make it less so.

Last week we learned about a striking piece of malware called Regin that has been infecting computer networks worldwide since 2008. It’s more sophisticated than any known criminal malware, and everyone believes a government is behind it. No country has taken credit for Regin, but there’s substantial evidence that it was built and operated by the United States.

This isn’t the first government malware discovered. GhostNet is believed to be Chinese. Red October and Turla are believed to be Russian. The Mask is probably Spanish. Stuxnet and Flame are probably from the U.S. All these were discovered in the past five years, and named by researchers who inferred their creators from clues such as who the malware targeted.

I dislike the “cyberwar” metaphor for espionage and hacking, but there is a war of sorts going on in cyberspace. Countries are using these weapons against each other. This affects all of us not just because we might be citizens of one of these countries, but because we are all potentially collateral damage. Most of the varieties of malware listed above have been used against nongovernment targets, such as national infrastructure, corporations, and NGOs. Sometimes these attacks are accidental, but often they are deliberate.

For their defense, civilian networks must rely on commercial security products and services. We largely rely on antivirus products from companies such as Symantec, Kaspersky, and F-Secure. These products continuously scan our computers, looking for malware, deleting it, and alerting us as they find it. We expect these companies to act in our interests, and never deliberately fail to protect us from a known threat.

This is why the recent disclosure of Regin is so disquieting. The first public announcement of Regin was from Symantec, on November 23. The company said that its researchers had been studying it for about a year, and announced its existence because they knew of another source that was going to announce it. That source was a news site, the Intercept, which described Regin and its U.S. connections the following day. Both Kaspersky and F-Secure soon published their own findings. Both stated that they had been tracking Regin for years. All three of the antivirus companies were able to find samples of it in their files since 2008 or 2009.

Yep. Remember that the ostensible mission of these companies is to make cyberspace more secure. By keeping quiet about the Regin threat they did exactly the opposite. So, as Schneier concludes,

Right now, antivirus companies are probably sitting on incomplete stories about a dozen more varieties of government-grade malware. But they shouldn’t. We want, and need, our antivirus companies to tell us everything they can about these threats as soon as they know them, and not wait until the release of a political story makes it impossible for them to remain silent.

It’s terrific that Bletchley Park has not only been rescued from the decay into which the site had fallen, but brilliantly restored, thanks to funding from the National Lottery (£5m), Google (which donated £500,000) and the internet security firm McAfee. I’ve been to the Park many times and for years going there was a melancholy experience, as one saw the depredations of time and weather inexorably outpacing the valiant efforts of the squads of volunteers who were trying to keep the place going.

Even at its lowest ebb, Bletchley had a magical aura. One felt something akin to what Abraham Lincoln tried to express when he visited Gettysburg: that something awe-inspiring had transpired here and that it should never be forgotten. The code-breaking that Bletchley Park achieved was an astonishing demonstration of the power of collective intelligence and determination in a quest to defeat the gravest threat that this country had ever faced.

When I was last there, the restoration was almost complete, and I was given a tour on non-disclosure terms, so I had seen what the duchess saw on Wednesday. The most striking bit is the restoration of Hut 6 exactly as it was, complete with all the accoutrements of the tweedy, pipe-smoking geniuses who worked in it, right down to the ancient typewriters, bound notebooks and the Yard-O-Led mechanical pencil that one of them possessed.

There have been persistent whispers that the United States and Israel collaborated on the Stuxnet worm, which hit the computer systems of a nuclear plant in Iran a few years ago and was discovered in 2010. Earlier this month, spyware dubbed Flame was found on computers in Iran and elsewhere in the Middle East. Security experts have said Stuxnet and Flame have the same creators. Now the Washington Post reports, citing anonymous “Western officials,” that the U.S. and Israel were those creators; that Flame was created first; and that Flame and Stuxnet are part of a broader cyber-sabotage campaign against Iran. That campaign started under President George Bush and is continuing under President Barack Obama, according to a New York Times report earlier this month. (See Burning questions about Flame and cyberwar.) The Washington Post report describes Flame as “among the most sophisticated and subversive pieces of malware to be exposed to date” — a fake Microsoft software update that allows for a computer to be watched and controlled from afar.

The basic scenario hasn’t changed. Because of technological changes, we are told, criminals and terrorists are using internet technologies on an increasing scale. Some of these technologies (eg Skype) make it difficult for the authorities to monitor these evil communications. So we need sweeping new powers to enable the government to defend us against these baddies. These powers are as yet unspecified but will probably include “deep packet inspection” as a minimum. And, yes, these new measures will be costly and intrusive, but there will be “safeguards”.

The fierce public reaction to these proposals seems to have taken the government by surprise, which suggests ministers have been asleep at the wheel. My hunch is that the proposals were an attempt by the security services to slip one over politicians by selling them to senior officials in the Home Office, who, like their counterparts across the civil service, know sweet FA about technology and are liable to believe 10 implausible assertions before breakfast. In that sense, the Home Office has been “captured” by GCHQ and MI5 much as the health department has been captured by consultancy companies flogging ludicrous ICT projects….

If you write about technology, then sooner or later you’re going to meet a smartarse who asks whether you’ve read Heidegger’s The Question Concerning Technology. Having encountered a number of such smartarses in recent years, I finally decided to do something about it, and obtained a copy of the English translation, published in 1977 by Harper & Row. Having done so, I settled down with a glass of sustaining liquor and embarked upon the pursuit of enlightenment.

Big mistake. “To read Heidegger,” writes his translator, William Lovitt, “is to set out on an adventure.” It is. Actually, it’s like embarking on one of those nightmares in which you’re wading through quicksand and every time you grasp a rope or a rock it comes apart in your hand. And it turns out that Heidegger’s fiendish technique is actually to lure you into said quicksand.

A top White House cybersecurity aide said yesterday that transnational cybercrime, such as thefts of credit-card numbers and corporate secrets, is a far more serious concern than ‘cyberwar’ attacks against critical infrastructure such as the electricity grid.

Christopher Painter, the White House’s senior director for cybersecurity, made his comments at a conference arranged by top Russian cybersecurity officials in Garmisch-Partenkirchen, Germany. Russia is a major source of cybercrime, but its government has declined to sign the European Convention on Cybercrime–the first international treaty on the subject. The treaty aims to harmonize national laws and allow for greater law-enforcement cooperation between nations.

Painter acknowledged that critical infrastructure needed to be made more secure, but said that the best defenses start by cracking down on crime. “There are a couple of things we need to do to harden the targets, and make the systems as secure as possible,” he said. “But the other thing you need to do is reduce the threat. And the predominant threat we face is the criminal threat–the cybercrime threat in all of its varied aspects.”